I am planning on upgrading our 1-VLAN switched network. Just to note, I am aware that some of the equipment I am thinking of is EOL, but I guess it is still a pretty good piece of equipment for currently very little money!?
For the main office I had a redundant collapsed core/distribution & access infrastructure layout (WS-C4500X & 2960S) in mind, with probably a separate redundant "server farm" segment (probably 2x 3560X or 3750X Layer 3 - sorry, but Nexus is way too expensive for the moment).
Note: A lot of the large customers we are dealing with/tendering for work with (local authorities and some state-owned utility companies) would have a similar, larger setup, and to put us into a better position going forward I have put in an upgrade request with the board of management.
The switches will all be interconnected via SFP+.
We are also planning on opening a new site office shortly, which I want to connect via a site-to-site VPN tunnel to the main office. No leased lines or Frame Relay/MPLS connections are planned; both sites will have an Ethernet-based broadband connection for the moment.
I was going to get either a 2691 or a 3725 with AIM-VPN/EPII-PLUS and IOS AdvSec/AdvIPServ for the main office, and a 2621XM with AIM-VPN/BPII-PLUS and IOS AdvSec for the site office, to create and set up the VPN and also to be able to avail of the IOS Firewall services. You can get them quite cheap with a 1-, up to 2-year hardware exchange warranty at the moment!
The main office will hopefully - eventually - also get a redundant ASA with 2 different ISPs as an upgrade - part of the above-mentioned network upgrade request.
My question now: I am not too sure where to best plan in the main office's router/firewall. Which device should come first/last - going out to the Internet? Or does it not matter? Router first and the firewall last, or the other way around? I have seen different network diagram examples on the internet showing either way. What are the differences, pros and cons?
The router's main responsibility was going to be the NATing & VPNing.
For the site office the 2621XM will also - always - act as the main firewall. The router for the main office will act only temporarily as a firewall, until it is replaced by the redundant ASA.
Would it be better practice/more secure to have the VPN coming in after the firewall or before - to have the VPN traffic packets inspected as well!?
Obviously, whatever device does the NATing needs to be sitting last! The ASA could do the NATing as well!?
Or would it make sense to keep both in place, get a second router for the main office for the redundant ISP connection (when the ASA is installed and set up), have some sort of perimeter network, and use the ASA and the router firewall at the same time?
Any thoughts, suggestions, tips and recommendations would be really appreciated.
Regards from Ireland
If you are considering an Ethernet-based broadband (assuming an Ethernet drop), why don't you put in a dedicated FW that can provide VPN/NAT and other security-related functionality, rather than a router with an NM?
A couple of diagrams would help support your question a lot.
What is the connection to the ISP like? BGP?
How much redundancy do you need?
Will you use an IGP?
Is this for a nonprofit? The hardware you are citing is really old.
The very basic setup would be an ASA that has a static default route to your ISP and does NAT, VPN, firewalling, and your IGP.
Any more advice would require more info about what you need.
Sent from Cisco Technical Support iPhone App
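As an added illustration (not posted by anyone in this thread), here is a minimal Cisco ASA configuration for the "very basic" layout suggested in the last reply, which also covers the original poster's two ordering questions: the ASA is the single edge device, so it holds the default route to the ISP, does the NAT, terminates the site-to-site tunnel and applies the firewall policy. Interface names, the addresses (RFC 5737 documentation ranges and RFC 1918 LANs), object and ACL names, the remote peer address, and the pre-shared-key placeholder are all assumptions; the AES-256/SHA/DH group 14 choices assume an ASA software release that supports them. The two security-relevant points are marked in the comments: the identity NAT rule must exist so tunnel traffic is not translated before the crypto map sees it, and decrypted VPN traffic bypasses the outside ACL unless `sysopt connection permit-vpn` is turned off, which is what makes "VPN traffic inspected by the firewall as well" actually happen on this platform.

```cisco
! Added example (not from the thread): one ASA as edge router, firewall and VPN endpoint.
! Every name, address and key below is an assumption; addresses use RFC 5737 documentation ranges.
hostname MAIN-ASA
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Static default route toward the ISP gateway; a single broadband link needs no BGP/IGP here.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Main office LAN: PAT everything leaving toward the Internet to the outside interface address.
object network MAIN-LAN
 subnet 10.1.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Site office LAN behind the remote VPN peer (assumed 10.2.0.0/24).
object network SITE-LAN
 subnet 10.2.0.0 255.255.255.0
!
! Identity (no-NAT) rule for tunnel traffic. Manual NAT sits in section 1 and is evaluated
! before the object (section 2) PAT above, so LAN-to-LAN packets keep their private addresses
! and still match the crypto ACL; NAT on the ASA runs before the crypto map is consulted.
nat (inside,outside) source static MAIN-LAN MAIN-LAN destination static SITE-LAN SITE-LAN no-proxy-arp route-lookup
!
! Inbound policy on the outside interface: only (decrypted) traffic from the site office LAN
! is allowed in; everything else is dropped and logged. Returning Internet traffic is handled
! by the stateful connection table, not by this ACL.
access-list OUTSIDE-IN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! By default decrypted VPN traffic bypasses interface ACLs. Disabling that makes tunnel
! traffic subject to OUTSIDE-IN like any other packet arriving on the outside interface.
no sysopt connection permit-vpn
!
! Site-to-site IKEv1/IPsec tunnel to the site office router (peer address is assumed).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
! Crypto ACL: which traffic is "interesting" and must go through the tunnel.
access-list VPN-TO-SITE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
```

With a single device the "router before or after the firewall" question disappears: routing, NAT and the tunnel all happen inside one stateful policy, and the order of operations (NAT, then crypto; decryption, then interface ACL when `permit-vpn` is off) is fixed by the platform rather than by cabling. If a separate router is later kept in front of the ASA for a second ISP, the same principle applies: the device that translates addresses must be the one the tunnel terminates on, or the crypto ACL will never match.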